from the apocalypse-in-a-box dept

We've discussed at length how the rush to market by Internet of Things companies and evangelists with nary a thought toward security has left us all immeasurably less safe. Whether it's smart door locks that are easily bypassed, smart vehicles that can be remotely controlled, or smart electrical outlets being used as the cornerstone of nasty new botnets, we're effectively all living in a barely-believable dystopian novel at this point. And as we've noted repeatedly, this would all be kind of funny if it weren't for the fact that inevitably, these vulnerabilities are going to result in very real, and potentially massive human deaths.

And each week it seems like we're bearing witness to a new, deeper and uglier chapter in the saga of the internet of not-remotely-secure things. This week, it's the revelation by hackers that they've found another way to exploit a weakness in the Touchlink aspect of the ZigBee Light Link system at the heart of Philips' Hue "smart" light bulbs. More specifically, hackers have demonstrated a way to control every smart bulb in your home by pushing malicious firmware updates, without setting foot inside the residence:

"The researchers focused on the Philips Hue smart light bulb and found that the wireless flaw could allow hackers to take control of the light bulbs, according to researchers at the Weizmann Institute of Science near Tel Aviv and Dalhousie University in Halifax, Canada. That may not sound like a big deal. But imagine thousands or even hundreds of thousands of internet-connected devices in close proximity. Malware created by hackers could be spread like a pathogen among the devices by compromising just one of them."

As we've been noting, these compromised devices are then being used in some of the biggest and most potent denial-of-service attacks we've ever seen. According to the full research paper (pdf), the attack can be launched either via war driving (sitting in a vehicle) or by drone (in their test demonstration they were 70 meters, or 229.7 feet, away). More frighteningly, perhaps, the researchers posit that they could damage entire cities via this method using "readily available equipment costing a few hundred dollars" to forge "lightbulb worms":

"In this paper we describe a new type of threat in which adjacent IoT devices will infect each other with a worm that will spread explosively over large areas in a kind of nuclear chain reaction, provided that the density of compatible IoT devices exceeds a certain critical mass. In particular, we developed and verified such an infection using the popular Philips Hue smart lamps as a platform. The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity. The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDOS attack"

Comforting. The report notes that the attack is possible, in part, because while the ZLL Touchlink commissioning protocol does use encryption to protect the "Master ZLL Key" sent to new devices joining the network, that key is shared among all devices and was leaked online last year. They're also quick to note that once a lightbulb has been infected with the worm, there's no way to reverse this short of replacing the light bulb:

"An important observation is that unlike computers or smart phones, this kind of attack is irreversible. There is no way to re-flash the Philips Hue lights firmware to get rid of our worm, and the only possible solution is to replace the lightbulb with a new one. Note that in order to prevent the new lightbulb from being infected in the same manner, the user must wait for a software patch to be available from the manufacturer before installing it."

So yes, you left the store with a "smart" lightbulb thinking you'd just have some sexy mood lighting, but were shocked to find a mini-apocalypse in a box once you got your purchase home. Thanks, internet of broken things!
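The paper's "critical mass" argument is easy to see in a toy model, added here as an illustration that is not from the article or from the researchers' own code: devices are scattered at random, any pair within radio range is linked, and a breadth-first search measures how much of a deployment a single compromised device could reach hop by hop. The area, radio range and device densities are assumed values for illustration, not figures from the paper; the model is useful for judging how much a deployment relies on density alone to stay partitioned.

```python
import math
import random
from collections import deque

def radio_graph(n, side, radius, seed=0):
    """Scatter n devices uniformly over a side x side square and link every
    pair within `radius` of each other (assumed stand-in for ZigBee range)."""
    rng = random.Random(seed)
    pts = [(rng.uniform(0, side), rng.uniform(0, side)) for _ in range(n)]
    r2 = radius * radius
    adj = [[] for _ in range(n)]
    for i in range(n):
        xi, yi = pts[i]
        for j in range(i + 1, n):
            dx, dy = xi - pts[j][0], yi - pts[j][1]
            if dx * dx + dy * dy <= r2:
                adj[i].append(j)
                adj[j].append(i)
    return adj

def reachable_fraction(adj, start=0):
    """Fraction of devices a hop-by-hop spread from one seed device can reach (BFS)."""
    seen = {start}
    queue = deque([start])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in seen:
                seen.add(v)
                queue.append(v)
    return len(seen) / len(adj)

def mean_degree(density, radius):
    """Expected neighbours per device: density times the area of the radio disc."""
    return density * math.pi * radius * radius

def spread_vs_density(side, radius, densities, trials=5, seed=0):
    """Average reachable fraction for each device density (devices per unit area)."""
    result = {}
    for d in densities:
        n = max(2, int(d * side * side))
        fracs = [reachable_fraction(radio_graph(n, side, radius, seed + t))
                 for t in range(trials)]
        result[d] = sum(fracs) / trials
    return result

if __name__ == "__main__":
    for d, f in spread_vs_density(100.0, 5.0, [0.005, 0.02, 0.05, 0.2]).items():
        print(f"density {d:.3f}  mean degree {mean_degree(d, 5.0):5.2f}  reachable {f:.2f}")
```

Below a few neighbours per device the seed reaches almost nothing; past a handful it reaches nearly the whole square, which is the chain-reaction threshold the quoted passage describes.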

from the Patch-notes:-Adds-'buyer's-remorse' dept

The world of connected devices is upon us and things have never been better. Criminals can access your email account by breaking into your fridge. Your child's toys and your television record your conversations and send them to manufacturers' servers, where criminals are (again) able to access them. Your home thermostat goes HAL 9000 and attempts to set your house on fire. And, now, your light bulbs won't do the one thing you expect them to do: produce light.

Philips just released firmware for the Philips Hue bridge that may permanently sever access to any “non-approved” ZigBee bulbs.

[...]

The recent change seems to suggest any non-Philips bulbs from manufacturers such as Cree, GE, and Osram will not be supported in many situations, whereas “Friends of Hue” branded products are. At the time of publication, it’s unclear whether 3rd party bulbs will stop working immediately after the firmware update or if they may only become inaccessible after the bridge is reset. We’re also not sure if being “reset” means rebooted or factory reset. This appears to apply to both the round v1 bridge and square v2 HomeKit-compatible bridge after the latest firmware update is applied.

ZigBee is the open, global standard of choice for connected lighting applications providing ease-of-use and low-cost installation and maintenance for both consumers and business.

Philips uses ZigBee, which should mean any bulbs compatible with this standard will work with its Hue fixtures. Not anymore. The firmware update removes this support, limiting this "open, global" standard to Philips' own bulbs and those it has designated as "Friends of Hue."

Literally. Philips has just slapped fans like us in the face and kicked interoperability out the door. Without any communication they delivered a new firmware to the system that disables adding products that they don't approve of. Basically they are banning other Zigbee Light Link products despite the fact that they are a Connected Lighting Alliance member whose mission is to promote interoperability.

As it seems (and unless this is just a huge mistake on Philips' side), they have without a warning turned their open product into a walled garden. They have also destroyed the value of the solutions that the customers have set up based on Philips' promises.

And the worst thing is that Philips has done this to their most enthusiastic fans. To the early adopters. To those who enthusiastically recommended the system to their friends.

Philips only began delivering nonsensical statements about its removal of previously-existent functionality after the complaints began to roll in. And like so many other companies that have wielded this DRM-esque tactic against their own customers, the excuses offered may as well just read "because this makes us more money." Seriously, are any of Philips' pissed off purchasers really going to believe this excuse?

While the Philips Hue system is based on open technologies we are not able to ensure all products from other brands are tested and fully interoperable with all of our software updates. For guaranteed compatibility you need to use Philips Hue or certified Friends of Hue products.

TL;DR: While technically an open system, we've closed it because $$$. These early adopters have already performed the heavy lifting on the compatibility end. They're the ones who have road-tested ZigBee-compliant bulbs and reported their findings to others. So, when a company removes support (by pushing a firmware update without prior warning) for compatible bulbs and claims the issue is "compatibility," it's so blatantly false as to be laughable. Unless you can't laugh, because you already bought one.

And Philips is apparently incredibly socially awkward. Trying to find which other bulbs are supported as "Friends of Hue" via Philips' websites is pointless. One just leads you to a page informing you that you can use Siri to control your lights. Searching for "Friends of Hue" brings you to another Philips website… which only lists products sold by Philips. In fact, while the "program" appears to allow third parties to sell products for its Hue line, it appears that every new development is sold under the Philips brand, which means that the competitiveness the phrase "Friends of Hue" implies is, in reality, no competition at all.

A walled garden is still a walled garden, no matter how beautifully lit it is. Philips has chosen to screw paying customers by locking them out of their choice of bulbs in pursuit of maximum profitability. There's nothing smart about that decision.

from the backwards-thinking dept

The EU has now followed the US and Australia in coming up with plans to ban incandescent lightbulbs in favor of more efficient bulbs, such as compact fluorescent bulbs or LED-based lighting. I understand why these bans are being put in place. The incandescent bulbs are inefficient and wasteful, and the thinking is that forcing the move to CFLs or other types of bulbs will be good for the environment.

However, this doesn't take into account the unintended consequences of this move. Already, there's been a big push to move people to CFLs, and that's created a situation where the makers of CFLs have worked hard to improve the quality of the bulbs (a big complaint) as well as add features that CFLs used to lack, such as dimming. It's also pushed the makers of CFLs to find efficiencies that let them make the bulbs cheaper. They're doing this because they know they need to compete with incandescent bulbs -- and in many cases it's working.

Yet, banning incandescents from the marketplace means that the makers of CFLs now have a lot less competition. They don't have to work as hard to make the lights better. They don't have to work as hard to make them more efficient and cheaper. They've basically been given a gift that means they can slow down the process of making those bulbs that much better for the environment. That seems like a mistake.

from the taking-away-natural-incentives dept

Earlier this month, we pointed out that Ireland had joined Australia in setting a date for banning incandescent lightbulbs. There had been talk about the US following suit, and now it (almost) has, approving legislation that would phase out inefficient bulbs by 2012, such as the incandescents that most people still use. Once again, though, we have to point out how counterproductive a move like this seems. Already, more and more people were moving to more efficient bulbs naturally, as they realized how much money they actually saved with them. For those who complained about the type of light given off by the fluorescents, that just gave more incentive for the makers of CFLs to make the light better match incandescent bulbs. The competition also gave more incentive to make CFLs cheaper and even more efficient, as well as to come up with ways to make the (already seriously overhyped) worries about mercury less of an issue. However, if politicians take away the competition from incandescents, it suddenly gives the makers of CFLs a lot less incentive to come up with these kinds of innovations and breakthroughs.

from the it's-not-a-joke dept

American politicians have been toying with such legislation for a while, and Australian politicians have already approved similar legislation, but it appears that Irish politicians are in something of a rush to ban incandescent lightbulbs. New legislation would ban the sale of the traditional lightbulbs as of January 2009 -- basically just one year away. The Australian plan, which was approved earlier this year, would phase out the bulbs by 2010. While we can understand the basic reasoning, it's still unclear why a full ban is really necessary. Fluorescent bulbs keep getting cheaper (and better in quality) relative to incandescent bulbs. They last so much longer and use so much less energy that it won't be long until most people voluntarily move to fluorescents, without any unnecessary ban on incandescents.

from the bright-idea dept

The environment continues to be a hot-button political issue, as it presents a chance for politicians to score some easy points with the public by mandating all sorts of new laws and restrictions to prove their green credentials. But this political grandstanding overshadows the fact that many green or clean technologies offer economic benefits to those who use them -- for instance, making facilities more energy-efficient isn't about companies just wanting to be nicer to the planet, it's about cost savings too. One example of this in the consumer realm is fluorescent lightbulbs. Despite their higher upfront cost, their longer life and lower power consumption offer substantial savings over traditional incandescent bulbs. Given these cost savings (as well as the ongoing improvement in the bulbs' quality and decrease in price), it would seem to be only a matter of time before fluorescent bulbs become more popular and push incandescents out of the market. But that hasn't stopped politicians everywhere from pushing for laws banning or phasing out incandescent bulbs, and it now appears that the US Congress will add such legislation to a wide-ranging energy bill that's expected to be voted on in October. The legislation would begin phasing out incandescents in 2012, and then by 2020, would call for lighting standards that could be met only by compact fluorescent bulbs or ones with equivalent efficiency. Lighting manufacturers aren't happy with the timetable, saying it's too quick, and add that they're exploring several different technologies to improve the efficiency of lighting, including more efficient incandescent bulbs, new types of halogen lamps and LEDs. It would certainly seem that the market will sort this issue out on its own, as technology improves and more consumers become aware of the cost savings that fluorescents and other types of bulbs can offer. But it would also seem that the brownie points on offer are too hard to refuse for politicians who want to make it look like they're making a difference to the environment.